A Python-based credential testing tool for Instagram that uses wordlist attacks with automatic proxy rotation to avoid rate limiting.
Legal Notice: Use this tool only on accounts you own or have explicit written authorization to test. Unauthorized use violates Instagram's Terms of Service and may be illegal under the Computer Fraud and Abuse Act (CFAA) or equivalent laws in your jurisdiction.
- Wordlist-based credential testing
- Automatic proxy discovery and rotation (via
proxybroker) - CSRF token extraction per login attempt
- Rate-limit detection with configurable cooldown
- Duplicate password filtering and UTF-8 wordlist support
- Python 3.6+
- requests
- proxybroker
- pysocks
Install dependencies:
pip install requests proxybroker pysockspython data/hackinsta.py <username> <passwords_file>| Argument | Description |
|---|---|
username |
Target Instagram username |
passwords_file |
Path to a plaintext wordlist file |
Example:
python data/hackinsta.py myaccount data/passwords.txt- Proxy discovery — Finds up to 20 working HTTP/HTTPS proxies at startup.
- User verification — Confirms the target account exists before proceeding.
- Login loop — Submits each password with a fresh CSRF token; exits immediately on success.
- Proxy rotation — Switches proxy every 15 attempts.
- Rate-limit handling — Detects
429/ checkpoint responses and pauses for 15 minutes before resuming.
Edit the constants at the top of data/hackinsta.py:
| Constant | Default | Description |
|---|---|---|
DELAY_BETWEEN |
4 |
Seconds between login attempts |
| Proxy rotate | 15 |
Attempts before switching proxy |
| Rate-limit wait | 900 |
Seconds to wait on rate-limit (15 min) |
hacj/
├── data/
│ ├── hackinsta.py # Main script
│ └── passwords.txt # Sample wordlist
└── README.md
For educational and authorized security research use only.